Answered: [Security threat] tags are not sanitized in extra question field

Post date: 2020-07-01 00:44:51
Views: 226

Hey q2apro, I think you are testing the default q_view_extra($q_view) function.

The default function is still safe. But if you pull the content from the database, it's not safe.

First, look! The script is stored in the database.

(screenshot: database)

Second, if you create a function to pull that content from the database:

public function q_item_extra($q_item)
{
    // Read the stored "extra" value straight from the database, bypassing
    // the prepared $q_item fields.
    $postidz = $q_item['raw']['postid'];
    $extra = qa_db_read_one_value(qa_db_query_sub(
        'SELECT content FROM ^postmetas WHERE title="qa_q_extra" AND postid=#',
        $postidz
    ), true);

    // The default source of the value (commented out in the original):
    //$extra = $q_item['extra']['content'];

    // The raw database value is written into the page without escaping,
    // so a stored <script> tag is executed by the browser.
    $this->output('My info:' . $extra);
}

Here's the result:

(screenshot: test)

I hope you'll get my point.
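As an added example (not part of the answer above and not Q2A's own code), the following stand-alone PHP script reproduces the point being made: the same stored string is rendered once the way the posted q_item_extra() does it and once HTML-encoded before output. The stored payload, the two render functions and the leaks_markup() check are all constructed for this example; the hardened function uses PHP's htmlspecialchars() directly so the script runs without the Q2A framework, which is the same encoding Q2A's qa_html() helper applies.

```php
<?php
// Added example: simulates a value that was stored verbatim in the database
// (e.g. via qa_db_read_one_value()) and is then echoed into the page.

// Constructed stand-in for the database row; this is what an attacker types
// into the extra question field.
const STORED_EXTRA = '<script>alert(document.cookie)</script>';

/**
 * Mirrors the posted q_item_extra(): the stored string is concatenated into
 * the HTML output untouched, so the browser executes it as markup.
 */
function render_extra_unsafe(string $extra): string
{
    return 'My info:' . $extra;
}

/**
 * Hardened version: HTML-encode the stored value at the point of output.
 * ENT_QUOTES also encodes ' and " so the value is safe inside attributes,
 * ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
 */
function render_extra_safe(string $extra): string
{
    return 'My info:' . htmlspecialchars($extra, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Quick check for any theme or plugin output function: returns true when an
 * input containing markup characters appears verbatim in the produced HTML,
 * i.e. when it was not encoded on the way out.
 */
function leaks_markup(string $html, string $input): bool
{
    return strpbrk($input, '<>"\'') !== false && strpos($html, $input) !== false;
}

$unsafe = render_extra_unsafe(STORED_EXTRA);
$safe   = render_extra_safe(STORED_EXTRA);

echo $unsafe, PHP_EOL;   // the <script> tag reaches the page and runs
echo $safe, PHP_EOL;     // &lt;script&gt;... is displayed as literal text

if (!leaks_markup($unsafe, STORED_EXTRA) || leaks_markup($safe, STORED_EXTRA)) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
```

Run it with `php example.php`: the first line printed is the raw payload, the second is the encoded one. Inside a Q2A theme or plugin the equivalent fix is to pass the database value through qa_html() before calling $this->output(); if the field is meant to carry a limited set of HTML tags rather than plain text, Q2A's qa_sanitize_html() is the helper for that case instead.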
